Credit unions use technology that's constantly evolving, so it makes sense for their security strategies to evolve as well.
As credit unions consider moves to boost their security in 2011, they may want to consider the 12 annual recommendations offered by Forrester Research of Cambridge, Mass., in a new report titled, "Twelve Recommendations for Your 2011 Security Strategy."
This year's recommendations fall into three categories: Governance strategy development, security process maturing and analytics and reporting improvement. Together, the 12 recommendations can help firms accomplish two important goals - develop a strong core business structure and better insight into the IT environment.
"In 2011, as you prioritize your initiatives, avoid the temptation to focus only on day-to-day tactical activities and operations," analyst Khalid Kark said. "Forrester recommends that you focus on some structural issues that will ultimately help you build a great security organization and program. Forrester also recommends that you focus on the initiatives that can give you more visibility into the IT environment so that you can analyze and develop preventative measures for protecting your organization."
Financial services security managers are under more pressure than ever to perform, Kark said. That includes business environments that place high demands on security teams, more sophisticated, targeted security threats and tech-savvy, "empowered" employees who create a need for more security controls.
"As we engaged with security leaders during the past 12 months, it quickly became clear that most were struggling to align more closely with the business, to deal with the changing threat landscape, and to support the rising adoption of social technologies, employee-owned mobile devices, and cloud services," Kark said.
Forrester also finds that security leaders' plans do not align with their biggest security success roadblocks. Their top challenges are staff shortages and tight budgets, plus the fact that security isn't high on their priority lists, but their strategies involve tactical activities. For example, many firms focus on acquiring data security tools, improving threat defense strategies, preparing for disaster recovery and fulfilling regulatory compliance mandates.
"Despite the fact that the top three challenges all relate to business orientation and alignment, for the next 12 months leaders across North America and Europe do not plan to focus on efficiency, better reporting or IT alignment," Kark said. "Instead, most security leaders plan to focus on reactive areas."
Urging firms to take their strategies in a different direction, Forrester outlines 12 recommendations to help them reach goals of improving business structure and developing better insight into the IT environment.
The first category of recommendations, governance strategy development, addresses the growing number of technologically empowered employees. Forrester suggests firms utilize the services of cloud providers, given they'll keep firms' data safe.
Next, Kark recommends organizations develop a security strategy for post-PC electronic devices that provides control but still allows for flexibility and innovation. They should also develop policies and governance strategies for social technology, and work closely with their counterparts in sourcing and vendor management.
"Social, mobile, video and cloud technologies are part of a groundswell movement that has taken hold of organizations, propelling waves of innovation and business transformations," Kark said. "Security can no longer block or impede this momentum."
Forrester's next four recommendations involve the maturing of existing security processes. "As the threat landscape has changed, chief information security officers (CISOs) found their existing processes inadequate or inefficient, leading them to ask, 'How can we measure and improve our existing processes to ensure better security?'" Kark said in his report.
Forrester offers four solutions for improving current security processes. First, manage the access users have to information; second, spend more time and resources on code reviews and configuration management, not patch management; third, develop preventative technologies; and fourth, develop a comprehensive, tested breach response plan.
The final set of recommendations encourages the improvement of reporting and analytics. First, test and validate all security controls regularly. Then, arm business leaders with accurate information about the security risks they face. Next, keep executives informed about the firm's "overall risk posture." And finally, consider the value of researching what other firms are doing to improve security.
"Many CISOs admit that finding relevant information from the realms of data that is churned out is like finding a needle in a haystack," Kark said. "CISOs need to ensure that their metrics and reporting efforts focus on three levels of decision making: operational, risk and business-centric."
Kark added that the annual list is not all-inclusive and may not correlate with what's going on at every enterprise. Rather, it's a place to begin.
"This list is a starting point," Kark said. "You must take from and add to it depending on your company's business objectives and identified risks."